Install and set up HashiCorp Vault using Docker and authorize users via OIDC with Keycloak.
Create the directory structure:
```
├── backup
├── config
│   └── config.hcl
├── data
└── logs
```
```bash
mkdir -p backup config data logs
```
Create `config/config.hcl` (the Vault image loads its configuration from `/vault/config`, which the volume mount in the next step provides):
```hcl
# Single-node integrated (Raft) storage; /vault is the bind mount from the docker run command
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"   # plain HTTP, acceptable only for a local lab
}

disable_mlock = true
api_addr      = "http://0.0.0.0:8200"
cluster_addr  = "http://127.0.0.1:8201"
ui            = true
```
Run the Docker container (the current directory is mounted as `/vault`, so `config/`, `data/` and `logs/` end up where the image expects them):
```bash
docker run --rm --name="vault" -p8200:8200 -p8201:8201 --cap-add=IPC_LOCK -v "$(pwd)":/vault vault server
```
Open the web UI at http://localhost:8200/ui/vault/init and choose "Create a new Raft cluster".
Then open a shell in the container:
```bash
docker exec -it vault ash
```
Inside the container, run these commands:
```bash
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
```
It will generate 5 unseal key shares and the initial root token. Example output of the `vault operator init` command (key values are illustrative):
```
Unseal Key 1: w73rz287ifgsjdfgwuezgf
Unseal Key 2: sudztgfcg8twetf8eqwgfs
Unseal Key 3: iqrz78qfz87q3f328gf832
Unseal Key 4: owez32fz83277zf8327f23
Unseal Key 5: 3uwezfguwzegfuzwefguzw

Initial Root Token: hvs.sakhjbfiefz8q7q

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
Go back to the web UI and unseal Vault by entering any 3 of the 5 unseal keys generated in the previous step (the key threshold is 3).
After that, log in with the Initial Root Token.
In the web UI go to Access -> Auth Methods -> Enable new method -> OIDC, then choose Next -> Enable Method.
Configure the OIDC method with curl (`hvs.XXXXXX` stands for your root token, `KCXXXXXXX` for the Keycloak client secret):
```bash
curl --request PUT \
  --url http://127.0.0.1:8200/v1/auth/oidc/config \
  --header 'Authorization: Bearer hvs.XXXXXX' \
  --header 'Content-Type: application/json' \
  --data '{
    "default_role": "reader",
    "oidc_client_id": "vault",
    "oidc_client_secret": "KCXXXXXXX",
    "oidc_discovery_url": "https://keycloak.example.com/realms/myrealm"
  }'
```
Create the role. `groups_claim` points at the client roles that Keycloak places under `resource_access.vault.roles` in the token; the Keycloak mapper configured below makes sure they are included:
```bash
curl --request POST \
  --url http://127.0.0.1:8200/v1/auth/oidc/role/reader \
  --header 'Authorization: Bearer hvs.XXXXXX' \
  --header 'Content-Type: application/json' \
  --data '{
    "bound_audiences": "vault",
    "allowed_redirect_uris": "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
    "user_claim": "sub",
    "groups_claim": "resource_access/vault/roles"
  }'
```
In Keycloak, expose the client roles in the token:
1. Open the client (in this example the client is named `vault`).
2. Open the Client scopes tab.
3. Open the dedicated scope and mappers for this client (`vault-dedicated`).
4. Click Add mapper -> From predefined mappers.
5. Search for "roles", select "client roles" and click Add.
6. Click the newly created token mapper ("client roles").
7. For Client ID select the service, in this example `vault`.
8. Click Save.
Then create the Keycloak role that will be mapped to a Vault group:
1. Open the client (`vault`) again.
2. Open the Roles tab.
3. Create the role `kv-manager`.
4. Assign the role to a user.
Open the Vault web UI and go to Policies -> Create ACL policy. Type `kv-manager` for the policy name and paste this policy:
```hcl
# Note: despite its name, this policy also grants full control over auth methods,
# ACL policies and secrets engine mounts, so it is effectively an administrator policy.

# Read the health endpoint
path "sys/health" {
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault
# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `secret/` path
# List, create, update, and delete key/value secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts" {
  capabilities = ["read"]
}
```
Click Create policy.
Would you like to know more? https://learn.hashicorp.com/tutorials/vault/policies#write-a-policy
Go to Access -> Groups -> Create Group. Type `kv-manager` for the group name, select `external` as the type, and for Policies select the policy you just created (`kv-manager`). Click Create.
Under Aliases, add an alias named `kv-manager` (it must match the Keycloak client role name exactly, because Vault matches the values of `groups_claim` against alias names) and for Auth Backend select `oidc/ (oidc)`.
Log out of the Vault web UI and log in again using the OIDC method.
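As an added illustration (not part of the original tutorial and not Vault's own code), the following Python sketches what Vault does with the role from the curl call above and the external group alias just created when a Keycloak ID token arrives: it resolves `groups_claim` as a JSON pointer, checks `bound_audiences` and `user_claim`, and maps each matched group alias to that group's policies. The token, subject id and claim values are constructed, and signature verification is omitted because Vault performs it against the issuer's keys before any of this.

```python
import base64
import json
# Constructed, UNSIGNED sample ID-token claims shaped like Keycloak's output for the client
# "vault" with the "client roles" mapper; Vault verifies the real token's signature first.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/realms/myrealm",
    "aud": "vault",
    "sub": "f1c7e8a0-0000-4000-8000-000000000001",  # constructed subject id
    "resource_access": {"vault": {"roles": ["kv-manager"]}},
}
# Role settings from the tutorial's curl call, and alias name (Keycloak role) -> policies.
ROLE = {"bound_audiences": "vault", "user_claim": "sub",
        "groups_claim": "resource_access/vault/roles"}
GROUP_ALIASES = {"kv-manager": ["kv-manager"]}

def b64url(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token):
    """Return the claims of a compact JWT (no signature check, see above)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_claim(claims, pointer):
    """RFC 6901 JSON-pointer lookup; the leading '/' is optional, as in Vault."""
    value = claims
    for part in pointer.strip("/").split("/"):
        part = part.replace("~1", "/").replace("~0", "~")
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def evaluate_login(token, role, aliases):
    """Apply the role: check audience and user_claim, map groups_claim to policies."""
    claims = decode_payload(token)
    aud = claims.get("aud")
    if role["bound_audiences"] not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("audience mismatch")
    entity = resolve_claim(claims, role["user_claim"])
    if entity is None:
        raise PermissionError("user_claim missing")
    groups = resolve_claim(claims, role["groups_claim"]) or []  # must be a list
    policies = sorted({p for g in groups for p in aliases.get(g, [])})
    return {"entity": entity, "groups": groups, "policies": policies}

SAMPLE_TOKEN = ".".join([b64url({"alg": "none"}), b64url(SAMPLE_CLAIMS), ""])
```

A user whose token carries a client role with no matching alias logs in successfully but receives no policies, which is the symptom to look for when the alias name and the Keycloak role name differ.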
Set the OIDC method as the default method on the login page. Access the Vault command line:
```bash
docker exec -it vault ash
```
Inside the container run these commands:
```bash
export VAULT_ADDR='http://127.0.0.1:8200'
vault login
```
Enter the token when prompted (input is hidden). Where to find the token? Open the Vault web UI and, in the upper right corner under the user profile, copy the token.
Finally, set the OIDC method as the default method:
```bash
vault auth tune -listing-visibility="unauth" oidc/
```
Further reading:
- https://www.vaultproject.io/docs/secrets/cubbyhole
- Vault logout always defaults to the token auth method on the login page: https://github.com/hashicorp/vault/issues/10816
- https://learn.hashicorp.com/tutorials/vault/sop-restore
- https://learn.hashicorp.com/tutorials/vault/sop-backup?in=vault/standard-procedures
- https://learn.hashicorp.com/tutorials/vault/raft-storage
- https://discuss.hashicorp.com/t/how-to-make-a-policy-for-creating-raft-storage-snapshots/14270/2
- https://stackoverflow.com/questions/63878533/vault-error-server-gave-http-response-to-https-client
- https://learn.hashicorp.com/tutorials/vault/getting-started-deploy
- https://www.vaultproject.io/docs/configuration/storage/raft